[OPINION] How AI will change Information Security

AI is becoming more and more prevalent in basically every single research area; that is to my mind undeniable. I remember when using neural nets used to be experimental (or hip and cool); now you can download a Python package that handles building and training them for you! So there is definitely a significant uptrend in the prevalence of AI and machine learning based technology in research. I would need to be a special kind of moron to not guess that this will also spill over into information security. The question is: how will this affect us infosec people?

Why Security exceptions shouldn't exist.

There's something that happens in pentests more often than any pentester would like to admit: security exceptions, findings in a security assessment that get marked as "no need to fix" by the larger organization's security operation (usually). In this post I'm going to talk about why the philosophy behind this idea is fundamentally broken and will not benefit any org that enforces such a policy in such a way.

Why geeks should "get" fashion

This post is about something I've been pondering for a while: why aren't the really, really insanely unique minds in geek culture getting involved in creating awesome clothes for people like them? Why don't geeks get into fashion design? We are definitely smart enough to do literally anything we can think of, so what is it about fashion that makes classic tech nerds avoid it?

I work in an extremely technical industry (the computer/software/hacker/breaker/maker technical industry), which means I work with a lot of "nerds" who aren't considered the most "trendy" people. Now I totally, totally get why these kinds of extremely intelligent people would not swoon every time Supreme makes a crossover with Adidas, lol. Here are a couple of reasons:

[RANT] Why Browsers are a crazy idea

Browsers pretty much govern how we interact with the internet. The people who built the internet realized they needed a way to exchange documents, and someone came along and built a program that was kinda only meant to display documents on the web, and only to people in the military. This was fine for a couple of years, but eventually people started looking at the internet as less of a library and more of a communication platform, and of course communication happens for various reasons, few of which the internet and by extension browsers were actually designed for!

[Idea] False Biased Extraction for SQLi using Prime numbers

I'm getting into this new style of blogging where I blog my unadulterated raw thoughts, open to the ridicule of the entire world. It's liberating :) It's also very interesting to see how I make mistakes and what I learn from them, instead of just the monotonous, lifeless style of blogging about what you got right or won at. So anyway, here's today's thought...

A couple of years ago, some dude from Immunity talked about how in "True" Blind SQLi it might be effective to favor responses that produce no-wait responses (here's the link: ). That is to say, if you are exploiting a Blind SQL injection vulnerability in which only time-based responses are observable, it makes sense that responses that don't trigger sleeps or waits would get you information faster. Brilliant observation! This is quite clever because it allows you to throw the traditional computer science idea of efficiency out of the window (or rather the conventional idea c…

Abusing WebVTT and CORS for fun and profit

WebVTT is a way HTML5 developers can display and cue text as subtitles for video formats. The grammar for WebVTT is pretty simple and, as we know, browsers are always willing to forgive any "weird" looking grammar in an effort to provide a best-effort experience for users. This post looks at ways to take advantage of WebVTT in some attack contexts in order to extract information or perform general DOM abuse.

Video tags can make use of subtitle files, as follows:

WebVTT (subtitle) files need to follow this format:

The file merely describes cues, allows you to number them and associate a duration and display time with them. Display timestamps specify hours (hh), minutes (mm), seconds (s) and milliseconds (ttt). According to my basic inspection of the grammar, most browsers require you to respect the placeholders (significant figures) if you specify the magnitude. For instance, if you want to indicate hours you need to use both placeholders, and the same goes for the others. …

Stealing Secrets with CSS : Cross Origin CSS Attacks

In this post I'm going to discuss a web attack, designated CVE-2015-5826 and CVE-2015-1287, which abuses the way CSS parsing works in some browsers and expands the way we think about HTML injection attacks.
